DNS tunneling is a misuse of DNS. Domain Name Servers (DNS) have been called the internet’s equivalent of a phone book. Rather than remembering an IP address with up to twelve digits, you just need to know the domain name associated with the IP address. DNS tunneling attempts to hijack the protocol to use it as a covert communications protocol or a means of data exfiltration. It is a broadly overlooked security threat.
Years ago Jon Postel maintained the Assigned Numbers List at USC’s Information Sciences Institute. ARPANET users found they could easily give names to the numerical addresses of computers using the HOSTS.TXT file. That method still works today. Over time this method became too slow and cumbersome. In response, Paul Mockapetris created the Domain Name System.
DNS uses a tree data structure with a hierarchy of domains. Top level domains, such as .com and .net, remain on the right in a domain name. Subdomains extend to the left, separated by periods. The specifications for DNS are maintained by IETF, and a variety of RFCs give detail to the protocol.
A white paper from SANS Institute gives a good description of DNS tunneling and how to detect it. In their overview of DNS, they highlight a few of the more than 30 record types in DNS technology:
Other DNS attacks are better known than DNS tunneling. TechTarget lists five of them. NetworkWorld offers a top ten list in a slide presentation. Too often DNS tunneling slips under the radar and is ignored.
DNS tunneling was created to bypass the captive portals of Wi-Fi providers. While that may not be malicious on its own, it’s certainly not ethical. Hackaday called an exercise to use drive-by hotspot hacking (for a makeshift GPS) an “ethical grey zone”. Does the fact that they admitted it in public make it seem more justified? There may be valid reasons to try to get past a proxy using DNS tunneling – say, if you have to hack into your own network. But usually the purposes are more nefarious.
DNS tunneling uses other protocols to tunnel through DNS queries and responses. The attacker may use SSH, TCP, or HTTP. The internet needs DNS, and port 53 generally stays open in the firewall for that reason. Hackers have their choice of a dozen or so DNS tunneling applications to choose from on the web, but we won’t mention them here.
As a communications channel, DNS tunneling is slow and inefficient. DNS traffic has limited bandwidth. It uses the unreliable layer-four protocol UDP. So why use DNS tunneling? DNS is a well-established protocol. Cybercriminals who know what they’re doing can potentially wreak havoc even with small data streams.
The SANS whitepaper suggests two main categories of DNS tunneling detection: payload analysis and traffic analysis. With payload analysis, you can detect specific DNS tunneling utilities. Traffic analysis might look for specific attributes such as volume of DNS traffic, number of hostnames per domain, geographic location, and domain history.
DNS is a trusted protocol. But according to an article from InfoWorld, the query/reply nature of DNS contributes to its vulnerability. And hackers don’t need to be experts. There are complete toolkits available for their evil deeds. In the article, Craig Sanderson offers some suggestions to defend against DNS tunneling:
Infosec Institute offers another helpful list. Among their suggestions, they say to look for requests and queries that have more than 64 characters. This is likely DNS tunneling traffic. Use the split horizon DNS concept to separate internal addresses from the internet. Look for a large number of DNS TXT. Use next generation firewalls like Paloalto and Fire Eye.
Obviously we can’t solve everyone’s DNS security issues here. Every IT infrastructure is different. How and where you apply DNS protections is up to you. The best we can do is make you aware of a dangerous hack that might not get as much attention as others. DNS tunneling is another in a long list of things to watch out for as you safeguard your network. Best of luck with that.
Server hardening is a necessary process. And it’s a never-ending one. From the moment you pull the machine out of the box (or create it in the virtual environment), it pays to be thinking about security. But server hardening can do more than keep your machine safe. It will help with performance, and it can […]
Over the years, DNS Failover has become a very popular service primarily due to the fact that it is relatively inexpensive and fairly easy to deploy and manage. But is it the right solution for your organization? In this article, we’ll outline what DNS failover is and provide an overview of the benefits and appropriate uses for […]
According to the FBI, ransomware became a billion dollar industry in 2016. That is right, $1 billion. If ransomware were a legitimate industry, it would be the focus of case studies in every business school in the world as its growth is unprecedented. This growth is attributed to four primary reasons. The amount of money […]
If you went to bestbuy.com and the site was unavailable, how long would it take for you to go to amazon.com or elsewhere to find what you wanted? On average, it’s less than 30 seconds; it used to be much longer, but our society has grown impatient. If you’re not available when customers are looking […]